Consumer groups skeptical about new Kerry-McCain privacy bill

Senators John Kerry and John McCain have finally introduced their highly …

Companies may soon be required to be up front with users on what personal information they are collecting and how it will be used, lest they face action from the Federal Trade Commission (FTC). Those are some of the provisions of the Commercial Privacy Bill of Rights Act of 2011, formally introduced on Tuesday by Senators John Kerry (D-MA) and John McCain (R-AZ). The bill also requires companies to offer easy-to-use opt-outs and provide a complaint mechanism to their customer base.

"If there was no law to stop [a] person from collecting or selling that personal information collected, you'd feel beyond violated," Kerry said during a press conference on Tuesday. "It goes on unregulated every day in the digital world... Right now, there is no law protecting the information that we share."

The privacy bill is meant to address that concern in a single, unified package. According to the bill, any personal information, unique identifiers, geographic location, e-mail addresses, phone numbers, bank and credit account numbers, non-work phone numbers, biometric data, and the like are all covered as information that should be protected, and individuals should be able to access that information anytime in order to change it or opt out. If the individual decides to leave the service or company, he or she can demand that any collected information be purged.

And that's just the beginning. Users must be notified every time a third party (read: advertising network) begins to access some of the data; such access will be limited to using only what is necessary to process a transaction or deliver a service. The FTC will get full enforcement rights, and state attorneys general will have civil enforcement rights as well.

The FTC is also being tasked with creating the rules for a voluntary "Safe Harbor" program that would be overseen by nongovernmental organizations. Such programs "would have to achieve protections as rigorous or more so as those enumerated in the bill," according to Kerry—the tradeoff would allow companies to be exempt from other parts of the bill (such as regular notifications when data collection practices change) as long as the FTC thinks the program is sufficient.

What the bill does not currently offer is any form of "Do Not Track" mechanism, nor does it allow states (outside of their attorneys general) to offer stronger protections. Individuals also do not get the ability to bring private legal action against companies for violating their privacy.

Reactions are mixed

The introduction of this bill has been long-anticipated—a draft has already been circulating for weeks, and Kerry implied recently that it was on the verge of its public debut. And, as expected, several companies immediately chimed in to support the plan. Verizon, for example, emphasized that it has a "longstanding commitment to privacy as a consumer-trust issue" and the bill was a "great start toward modernizing privacy rules for the Internet age." The Computer & Communications Industry Association also applauded the bill, adding that its members are glad that Kerry and McCain avoided technical mandates by focusing on information practices.

US Commerce Secretary Gary Locke threw in his early support as well. "We are still reviewing the bill introduced today; we are pleased that it incorporates key principles the Commerce Department recommended in its privacy report and look forward to working with Congress as legislation moves forward," Locke said in a statement.

Not everyone is cheering, though. A coalition of consumer groups—including Consumer Watchdog, Center for Digital Democracy, Consumer Action, Privacy Rights Clearinghouse, and Privacy Times—said that while they welcome the effort, they cannot yet get behind it. The groups reiterate the need for "Do Not Track" legislation and enforcement, saying the bill relies too much on the "notice and choice" model that already exists at most companies. They also criticize the bill for giving "special interest treatment to Facebook and other social media marketers" by allowing them to continue gathering data without real safeguards, and they especially don't like that the Department of Commerce—meant to promote the interests of companies, not individuals—has some say in developing the privacy policies.

"Title VII of the act, which appears to usurp the FTC’s traditional lead role in protecting privacy and turn much of its responsibility over to the Commerce Department, is troubling. It is important to note that the Commerce Department—as it should—primarily seeks to promote the interests of business. It is not, nor should it be expected to be, the primary protector of consumers’ interests. Commerce, therefore, must not have the lead role in online privacy. That is a role best left to a new independent Privacy Protection Office and the Federal Trade Commission," the groups wrote in a letter to the two senators.

"Protecting consumers’ privacy rights should transcend politics and we thank you for exercising leadership and seeking to deal with this challenge in a bipartisan way. But we must also express our concern that your Commercial Privacy Bill of Rights Act needs to be significantly strengthened if it is to effectively protect consumer privacy rights in today’s digital marketplace."